I'm a newbie to software security. I'm designing a network and I was wondering whether it is possible to detect that a program upgrade being downloaded on the network is malicious just by analyzing the structure of the downloaded executable?

I tried some literature search but couldn't find much. Any help is highly appreciated. Thank you!

On Linux, the command rm -rf / will wipe your computer. rm is a binary somewhere, and works by accessing the "delete file" API. Malware that wipes your entire drive would also use the "delete file" API. Does rm count as malicious?
– Clockwork-Muse Feb 12 at 4:22

Imagine if it were a simple PD controller that you needed to update. Then you could have a way of analyzing if you are updating the right thing. Doesn't that work?
– user1690356 Feb 12 at 15:44

From my understanding, for simpler devices the problem is that they are too simple. Modern antivirus detects signatures of complex machine programs because they are profitable. It is like getting a reverse shell using telnet (GTFOBins): legal but unethical, whereas on a PC, programs are complex enough to be detected.
– Kumar Aman Feb 12 at 16:11

In general, no, it is not possible. You might be able to get some benefit from a network intrusion detection system (e.g. Snort) or some anti-virus software. But nothing will guarantee safety. For the most critical of infrastructure, you should verify the hashes that have been cryptographically signed by the software vendors. Short of that, at least make sure that you download from trusted HTTPS sites that publish SHA hash keys, and compare the SHA with the file you download.

All that being said, if the software vendor is malicious there isn't anything you can do to detect it. Rely on your government's legal system, and only work with software vendors which are subject to their laws.
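As an added illustration of the hash-comparison step this answer recommends (example code written for this page, not taken from the answer or from any vendor's tooling): the script below streams a downloaded file through SHA-256, parses a SHA256SUMS-style manifest (a constructed format assumption, matching what the sha256sum utility emits), and compares the digest in constant time. The sample file and manifest in demo() are constructed inline so it runs offline; a tampered copy is verified too, to show the check failing closed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large installers are never read into memory at once


def sha256_of_bytes(data):
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse a SHA256SUMS-style manifest ("<hex>  <filename>" per line) into {filename: hex}.

    Blank lines and '#' comments are skipped; the optional '*' binary-mode marker in
    front of the filename (emitted by `sha256sum -b`) is stripped. Anything that is not
    a 64-character hex digest followed by a name is rejected rather than guessed at.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest in manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_download(path, manifest):
    """Return True only if the file's SHA-256 equals the manifest entry for its basename.

    A file the manifest does not list fails closed. hmac.compare_digest makes the
    comparison constant-time, so the check itself reveals nothing about the expected value.
    """
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed end-to-end run: publish a digest for a fake update, verify the pristine
    file, then flip one byte and verify again. Returns (pristine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        update = os.path.join(d, "update-1.2.3.bin")
        with open(update, "wb") as f:
            f.write(b"constructed sample update payload\n" * 1000)  # constructed content
        manifest = parse_sha256sums(f"{sha256_of_file(update)}  update-1.2.3.bin\n")
        pristine_ok = verify_download(update, manifest)
        with open(update, "r+b") as f:  # simulate corruption or tampering in transit
            f.seek(10)
            f.write(b"X")
        tampered_ok = verify_download(update, manifest)
        return pristine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A digest fetched from the same HTTPS page as the file only proves the download was not corrupted or altered between that page and you; it says nothing about whether the page itself was altered. The "cryptographically signed" hashes the answer mentions are what close that gap: the manifest parsed here would itself carry a vendor signature that is verified before any entry in it is trusted.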

There are solutions available that provide real-time sandboxing* for files and applications. They are extensively used in mail filtering and malware analysis. Cuckoo is one of them, which is free and can be integrated into various solutions. Consider this, because most product titles that come to my mind right now cost K's :$

*Sandboxing is a technique which uses real-time virtual environments to run and test a file for malicious behaviour.